GNUnet P2P Framework 0.26.2
GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP IPv4 and IPv6, TCP IPv4 and IPv6, HTTP, o...
Malicious code in vite-common-utils (npm)
Source: amazon-inspector b1d3397d754ffeb3726496769b2f159ce8596b2233b5875afa8f7fbca29ed0fd. The package presents itself as a Vite utility library but its only export, loadFilbetScriptSilently, creates a element whose src is hardcoded to...
CVE-2026-54386
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
Malicious code in ai-chat-helper (npm)
Source: amazon-inspector 39a12d35a8713a8f63eaf342901214a7f53fa396b9ee8218d246e5e0db7b6318. collect.js performs system reconnaissance and exfiltration to a hardcoded attacker-controlled host. The script imports child_process, os, fs, http, an...
CVE-2026-12568 Arbitrary File Write in postman_download module
The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
Malicious code in @array-util/nodepull (npm)
Source: amazon-inspector bcafb3a6336948fd12673cfe88d505e2a036afcfb5e9ee5d4b850cf982753d9b. @array-util/[email protected] ships a single 19 KB obfuscated index.js as its main entry. On require/import, the IIFE silences process error handlers vi...
CVE-2026-12565 Path Traversal (Zip-Slip) in unarchive module
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar), which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...
CVE-2026-54386 marimo < 0.23.9 XSS via file Query Parameter in assets.py
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
EUVD-2026-37809
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
Malicious code in dotenv-sync (PyPI)
Source: kam193 8fa0ec08d0cd452a37bf602615f61dfbbdab27d55180f1e09f53a218b18673f5. During import, the package loads an embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the...
Malicious code in disksweep (PyPI)
Source: kam193 3bc79bc0cdfcad5c0e383a83f621365a84be1090e44364974ee8ec2bf1a12942. During import, the package loads an embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the...
EUVD-2026-37775
Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...
EUVD-2026-37780
A security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. Affected is an unknown function of the file /index.php of the component Student Self-Registration Endpoint. The manipulation leads to improper access controls. Remote...
EUVD-2026-37795
Pimcore CMS/DXP version 12.3.8 contains a sandbox bypass vulnerability that allows authenticated administrative attackers to execute arbitrary methods on PHP objects by exploiting empty checkMethodAllowed and checkPropertyAllowed implementations in the custom Twig SecurityPolicy. Attackers can...
Malicious code in syncagents (PyPI)
Source: kam193 ab19812d31784aada2fb7c8165db286c96871bd8645568766ffc22c070fd3bf2. During import, the package loads an embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the...
Malicious code in boardflow (PyPI)
Source: amazon-inspector 7a7f48df7609edb5bab9d9e572f093994d071165578a58032a69392d62b08b86. On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and...
Roblox developers are losing entire games to malware attacks
Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game. Developers behind some of Roblox's millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robu...